The Acecard Android Trojan has been around for quite some time. We wrote about Acecard in February this year, but in fact the malware has been attacking devices since 2014, when it was first detected. Back in February, the Trojan was specifically targeting multiple banks.
Acecard is currently being deployed in new attacks, and that’s quite unfortunate considering that it’s one of the worst Android malware pieces today.
Acecard’s Latest Campaign Targets Users in Singapore and Hong Kong
Apparently, the latest version of the malware is hidden inside different apps masquerading as Adobe Flash Player, pornographic apps, and video codecs, McAfee researchers report. The apps are distributed outside of the Google Play Store and persistently pester users with permission request screens until admin rights are obtained.
As soon as the malicious app is executed by the user, it hides the icon from the home launcher and constantly asks for device administrator privileges to make its removal difficult.
When it is running in the background, the malware constantly monitors the opening of specific apps to show the user its main phishing overlay, pretending to be Google Play and asking for a credit card number.
Once the credit card number is validated, the next phishing overlay asks for more personal and credit card information such as cardholder name, date of birth, phone number, credit card expiration date, and CCV.
Finally, Acecard will prompt the user to take a picture of the front and back side of his ID card. Then, the user is asked to hold the ID in his hand and take a selfie. Why is this done?
[This is] very useful for a cybercriminal to confirm a victim’s identity and access not only to banking accounts, but probably also even social networks.
Thanks to this smart but quite vicious tactic, the attacker can verify illegal transactions or even confirm he’s the owner of hijacked social media profiles. No wonder that the Trojan also collects credentials for social media apps like Facebook, WhatsApp, WeChat, Viber, and other apps like Dropbox and Google Videos.
The updated Trojan is mostly successful with less tech-savvy users who haven’t used smartphones and aren’t aware of the normal behavior of an app.
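The install-time behaviours described above (distribution outside Google Play, Flash Player or codec lures, repeated device administrator requests, a hidden launcher icon) can be combined into a triage check over a device's app inventory. The Python below is an added example, not code from McAfee or from this article; the inventory field names, the sample records and the threshold are constructed assumptions.

```python
import json

PLAY_STORE = "com.android.vending"      # installer package name used by Google Play
LURE_WORDS = ("flash player", "codec")  # two of the lure themes named in the article

# Constructed inventory; field names are hypothetical (e.g. an MDM export).
SAMPLE_INVENTORY = json.loads("""[
 {"package": "com.example.bank", "label": "Example Bank", "installer": "com.android.vending",
  "device_admin_active": false, "has_launcher_icon": true, "system": false},
 {"package": "com.example.mdm", "label": "Corp Device Agent", "installer": null,
  "device_admin_active": true, "has_launcher_icon": true, "system": false},
 {"package": "com.example.fakeplayer", "label": "Adobe Flash Player", "installer": null,
  "device_admin_active": true, "has_launcher_icon": false, "system": false},
 {"package": "com.example.codecpack", "label": "HD Video Codec", "installer": "com.example.thirdpartystore",
  "device_admin_active": false, "has_launcher_icon": false, "system": false},
 {"package": "com.android.providers.settings", "label": "Settings Storage", "installer": null,
  "device_admin_active": false, "has_launcher_icon": false, "system": true}
]""")

def triage(app):
    """Return the article-described indicators that one inventory record matches."""
    hits = []
    if app.get("installer") != PLAY_STORE:
        hits.append("sideloaded")        # installed from outside Google Play
    label = app.get("label", "").lower()
    if any(word in label for word in LURE_WORDS):
        hits.append("lure_label")        # name imitates a player or codec
    if app.get("device_admin_active"):
        hits.append("device_admin")      # admin rights make removal difficult
    if not app.get("has_launcher_icon", True):
        hits.append("hidden_icon")       # icon hidden from the home launcher
    return hits

def flag_suspects(inventory, threshold=3):
    """Map package name -> indicators for user apps at or above the threshold."""
    suspects = {}
    for app in inventory:
        if app.get("system"):
            continue  # preinstalled components often lack an installer and an icon
        hits = triage(app)
        if len(hits) >= threshold:
            suspects[app["package"]] = hits
    return suspects

if __name__ == "__main__":
    for package, hits in flag_suspects(SAMPLE_INVENTORY).items():
        print(package, hits)
```

A sideloaded management agent with device administrator rights matches only two indicators and stays below the threshold, while the codec lure is flagged even though the user has not yet granted admin rights.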